It’s still too easy for bad actors and others to download ePHI onto thumb drives. And do most covered entities even realize it has happened or is happening?
WDAM in Mississippi reports that Hattiesburg Clinic has been notifying patients of unauthorized access to their records by a former optometry provider who allegedly accessed their records to send letters notifying patients about his new employer.
The clinic states that it first became aware of the breach on January 23rd; the breach itself occurred between December 11 and December 31, 2014. They do not say how they learned of the breach, other than that they were made aware of it.
Notification letters, dated March 20th, explained that the doctor had copied patients’ contact information onto a thumb drive that he took with him to his new employer to enable him to send out letters notifying patients of his new employment. The clinic recovered the thumb drive and received assurances that neither the doctor nor the Hattiesburg Eye Clinic, his new employer, retained any information.
Although the clinic indicates it reported the incident to HHS, the incident does not yet appear on HHS’s public breach tool, so either it should appear shortly or the breach impacted fewer than 500 patients.
This post will be updated if the incident appears on the public breach tool.